Re: About change Name of the management server R8...

Lei_Liu · ‎2019-02-27

@

Hi Guys,

Have a good day!

Our customer has already established the management server R80.10, Name of the management server is CPSMC01,

CPSMC01 is including ICA of the management server R80.10.

But unfortunately the customer's leader wants to change name of management server from CPSMC01 to CheckPointSMC01.

Question:

if we change from CPSMC01 to CheckPointSMC01, not do fwm SIC_reset, what happen for the management ICA ?

or I must do fwm sic_reset to create a new ICA.

Thanks a lot

Lei Liu

Kaspars_Zibarts · ‎2019-02-27

Hi you will have to re-do ICA as per SK below

Changing a Security Management (SmartCenter) Name

Lei_Liu · ‎2019-02-27

I have already followed sk14532, sk92752,sk66265,sk34373, unfortunately the ICA still can not reset successfully, via fwm sic_reset.

Thanks a lot.

Kaspars_Zibarts · ‎2019-02-27

Did you follow through all steps described in sk42071? If you have and it does not work, raise TAC case with CP

Lei_Liu · ‎2019-02-27

Hi Kaspars,

Thank you for your response!

Yes, i have followed sk42071, when do fwm sic_reset, there were some errors:

[Expert@NF-307-Mgmt-202-236:0]# fwm sic_reset
***************** Warning: ****************
This operation will reset the Secure Internal Communication (SIC).
The internal Certificate Authority will be destroyed and ALL remote Check Point Components,
including VPN and Endpoint clients, will not be able to communicate.

In case of Endpoint & VPN clients, this action is not REVERSIBLE which means that clients
will lose connection with the Server and the only way to re-establish it can be done by
re-issuing all certificates (for VPN) or by the re-connect tool for Endpoint clients.

Server communication can be re-established if the following operations are implemented:
1. Re-initialize the Internal Certificate Authority (use cpconfig).
2. Restart Check Point Services (cpstart, cpridstart).
3. Reset SIC on each Station that is managed by this Security Management Server.
4. Re-establish Trust with each Station that is managed by
this Security Management Server.
*******************************************
This operation will stop all Check Point Services (cpstop)
Are you sure you want to reset? (y/n) [n] ? y

*** Checking IKE Certificates ***
There are IKE Certificates that were generated by the
internal Certificate Authority.
Please remove them (using the SmartDashboard) so that
the internal Certificate Authority can be destroyed.

SIC Reset operation could not be completed

By the way, in fact, we did not enable vpn software blade in any gateway with the management server.

BRs,

Lei Liu

Kaspars_Zibarts · ‎2019-02-27

You should have removed all certs in step 5 of the procedure. What do you get when you run this:

grep -in cert $FWDIR/conf/objects_5_0.C | grep -A 4 ': (defaultCert'

Lei_Liu · ‎2019-02-27

Hi Kaspars,

Thank you for your reply!

You are right. i established a gateway via wizard, enable vpn software blade, and then remove certificate of the gateway. after install database, at once i check objects_5_0.C included : certificate( ) refer to sk62695 , Now i can execute fwm sic_reset successfully.

Thank you very much!

BRs,

Lei Liu

vince_02 · ‎2019-09-08

Hi Lei_Liu,

May I know if you successfully change the hostname after resetting and regenerate SIC cert?

Thanks,

Are you a member of CheckMates?

About change Name of the management server R80.10 Question.